CN105205400B - Module loading method and device and electronic equipment - Google Patents

Module loading method and device and electronic equipment Download PDF

Info

Publication number
CN105205400B
CN105205400B CN201510544043.0A CN201510544043A CN105205400B CN 105205400 B CN105205400 B CN 105205400B CN 201510544043 A CN201510544043 A CN 201510544043A CN 105205400 B CN105205400 B CN 105205400B
Authority
CN
China
Prior art keywords
module
new process
address
new
load address
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201510544043.0A
Other languages
Chinese (zh)
Other versions
CN105205400A (en
Inventor
王鑫
刘桂峰
姚辉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhuhai Baoqu Technology Co Ltd
Original Assignee
Beijing Kingsoft Internet Security Software Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Kingsoft Internet Security Software Co Ltd filed Critical Beijing Kingsoft Internet Security Software Co Ltd
Priority to CN201510544043.0A priority Critical patent/CN105205400B/en
Publication of CN105205400A publication Critical patent/CN105205400A/en
Application granted granted Critical
Publication of CN105205400B publication Critical patent/CN105205400B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The embodiment of the invention discloses a module loading method, a module loading device and electronic equipment, wherein the method comprises the following steps: detecting whether a new process is started; if the new process is detected to be started, generating a new loading address of a module of the new process according to a preset address generation rule; and loading the module of the new process according to the new loading address and the size of the memory space occupied by the module. By applying the embodiment of the invention, before the module of the new process is loaded according to the preassigned loading address, the new loading address of the module of the new process is generated, and the module is loaded according to the generated new loading address. Even if a hacker obtains a new load address of the module, the hacker can hardly obtain the pre-specified load address of the module through the new load address, and further cannot search an instruction fragment suitable for attack through the pre-specified load address to attack, so that the protection of the computer against ROP attack is improved, and the safety of the computer is improved.

Description

A kind of module loading method, apparatus and electronic equipment
Technical field
The present invention relates to computer security technique field, more particularly to a kind of module loading method, apparatus and electronic equipment.
Background technology
Windows XP systems are that Microsoft releases the operating system used for PC.Hacker is to meter in order to prevent The attack of calculation machine, Microsoft are proposed a security tool EMET (Enhanced Mitigation Experience Tool is experienced in Toolkit, enhancing mitigation).Its basic functional principle is:
According to the size of module preassigned address and committed memory space to process, the module loading of process is arrived In memory;After the module loading to memory by process, the address and memory headroom that are loaded into the module in memory are carried out Application, pressure system carry out randomization, the destination address after being randomized to the address for being loaded into the module in memory; According to the size of destination address and committed memory space after randomization, the module of process is re-loaded in memory;It will be into Above-mentioned application is distributed in the address and memory headroom that the module original of journey occupies.
But module is loaded using EMET security tools, to ROP (Return-oriented programming, Return be oriented to programming) attack protective it is bad, be mainly reflected in using EMET security tools by the module of process according to pre- It is empty to the address and memory for occupying the module original of process to be loaded into memory for the first size of specified address and committed memory space Between re-start distribution during, hacker possible with ROP attack technologies obtained from memory process module original occupy Address, and then by the address find suitable for attack instruction segment, and by each instruction segment searched out splice Get up, is attacked.
Invention content
The embodiment of the present invention is designed to provide a kind of module loading method, apparatus and electronic equipment, is calculated with improving The protection that machine attacks ROP.
In order to achieve the above objectives, the embodiment of the invention discloses a kind of module loading methods, including:
New process initiation is detected whether;
If having detected new process initiation, carried out according to preassigned load address in the module to the new process Before load, according to pre-set address create-rule, the new load address of the module of the new process is generated;
According to the size in the module committed memory space of the new load address and the new process that are generated, described in load The module of new process.
Optionally, the new load of the module of the new process is generated according to pre-set address create-rule described Before address, further include:
Judge whether the new process is to need process to be protected;
It is described that the new load address of the module of the new process is generated according to pre-set address create-rule, including:
In the case where the new process is to need process to be protected, according to pre-set address create-rule, generate The new load address of the module of the new process.
Optionally, described to judge whether the new process is need process to be protected, including:
Judge whether to have recorded information corresponding with the new process in pre-stored process configuration information table;If Have, is then determined as the new process needing process to be protected.
Optionally, described according to the module committed memory space of the new load address generated and the new process Size before the module for loading the new process, further includes:
Remove the data that module binding imports in table makes module loading described in the binding input mechanism of disabled module New load address.
Optionally, the module of the new process is primary module, and there are relocation tables in primary module;Or the new process Module is system module;
It is described that the new load address of the module of the new process is generated according to pre-set address create-rule, including:
It is random to generate address, using the address generated at random as the new load address of the module of the new process.
Optionally, the module of the new process is primary module, and relocation table is not present in primary module;
It is described that the new load address of the module of the new process is generated according to pre-set address create-rule, including:
By preassigned load address, it is determined as the new load address of the module of the new process.
Optionally, the module of the new process is system module:The method further includes:
According to the size of preassigned load address and the module committed memory space of the new process, fill accurate in advance Standby jump instruction.
Optionally, further include:
Record the preassigned load address of all modules of the new process;
Capture the exception that the new process occurs;
Judge to whether there is the captured corresponding address of exception in recorded load address;
If it is present having prompted the user with flooding.
In order to achieve the above objectives, the embodiment of the invention discloses a kind of module loading devices, including:Detection unit, address Generation unit and loading unit, wherein
The detection unit, for detecting whether there is new process initiation;
Described address generation unit, in the case where the detection unit has detected new process initiation, to institute State new process module loaded according to preassigned load address before, according to pre-set address create-rule, Generate the new load address of the module of the new process;
The loading unit, new load address and the new process for generating according to described address generation unit The size in module committed memory space loads the module of the new process.
Optionally, further include:First judging unit,
First judging unit, for judging whether the new process is to need process to be protected;
Described address generation unit, is specifically used for:
The case where new process initiation and the first judging unit judging result are to be has been detected in the detection unit Under, before the module to the new process is loaded according to preassigned load address, according to pre-set address Create-rule generates the new load address of the module of the new process.
Optionally, first judging unit, is specifically used for:
Judge whether to have recorded information corresponding with the new process in pre-stored process configuration information table;If Have, is then determined as the new process needing process to be protected.
Optionally, further include:Data dump unit,
The data dump unit is inputted for removing the data in module binding importing table with the binding of disabled module Mechanism makes module loading to the new load address.
Optionally, the module of the new process is primary module, and there are relocation tables in primary module;Or the new process Module is system module;
Described address generation unit, is specifically used for:
It is random to generate address, using the address generated at random as the new load address of the module of the new process.
Optionally, the module of the new process is primary module, and relocation table is not present in primary module;
Described address generation unit, is specifically used for:
By preassigned load address, it is determined as the new load address of the module of the new process.
Optionally, the module of the new process is system module:
Further include:Jump instruction fills unit,
The jump instruction fills unit, for being occupied according to the module of preassigned load address and the new process The size of memory headroom fills pre-prepd jump instruction.
Optionally, further include:Recording unit, exception catching unit, second judgment unit and prompt unit, wherein
The recording unit, the preassigned load address of all modules for recording the new process;
The exception catching unit, the exception occurred for capturing the new process;
The second judgment unit whether there is the exception in the load address for judging the recording unit records The corresponding address of exception that capturing unit captures;
The prompt unit, in the case where the second judgment unit judging result is to be, having prompted the user with Flooding.
In order to achieve the above objectives, the embodiment of the invention discloses a kind of electronic equipment, including:Processor, memory, communication Interface and bus;
The processor, the memory are connected by the bus with the communication interface and complete mutual lead to Letter;
The memory stores executable program code;
The processor can perform to run with described by reading the executable program code stored in the memory The corresponding program of program code, for executing any one module loading method that the embodiment of the present invention is provided.
As seen from the above technical solutions, an embodiment of the present invention provides a kind of module loading method and device, detection is It is no to have new process initiation;If having detected new process initiation, to the module of the new process according to preassigned load Before address is loaded, according to pre-set address create-rule, the new load address of the module of the new process is generated; According to the size in the module committed memory space of the new load address and the new process that are generated, the new process is loaded Module.The technical solution provided using the embodiment of the present invention, to the module of new process according to preassigned load address Before being loaded, the new load address of the module of new process is just generated, by the module of new process according to the new load of generation Address is loaded.Even if hacker obtains the new load address of module, it is also difficult to obtain the pre- of module by new load address First specified load address, and then cannot be found by preassigned load address and be carried out suitable for the instruction segment of attack Attack, improves the protection that computer attacks ROP, improves the safety of computer.
Description of the drawings
In order to more clearly explain the embodiment of the invention or the technical proposal in the existing technology, to embodiment or will show below There is attached drawing needed in technology description to be briefly described, it should be apparent that, the accompanying drawings in the following description is only this Some embodiments of invention for those of ordinary skill in the art without creative efforts, can be with Obtain other attached drawings according to these attached drawings.
Fig. 1 is the first flow diagram of module loading method provided in an embodiment of the present invention;
Fig. 2 is second of flow diagram of module loading method provided in an embodiment of the present invention;
Fig. 3 is the third flow diagram of module loading method provided in an embodiment of the present invention;
Fig. 4 is the 4th kind of flow diagram of module loading method provided in an embodiment of the present invention;
Fig. 5 is the first structural schematic diagram of module loading device provided in an embodiment of the present invention;
Fig. 6 is second of structural schematic diagram of module loading device provided in an embodiment of the present invention;
Fig. 7 is the third structural schematic diagram of module loading device provided in an embodiment of the present invention;
Fig. 8 is the 4th kind of structural schematic diagram of module loading device provided in an embodiment of the present invention.
Specific implementation mode
Following will be combined with the drawings in the embodiments of the present invention, and technical solution in the embodiment of the present invention carries out clear, complete Site preparation describes, it is clear that described embodiments are only a part of the embodiments of the present invention, instead of all the embodiments.It is based on Embodiment in the present invention, those of ordinary skill in the art are obtained every other without creative efforts Embodiment shall fall within the protection scope of the present invention.
Below by specific embodiment, the present invention is described in detail.
Fig. 1 is the first flow diagram of module loading method provided in an embodiment of the present invention, may include:
S101:It has detected whether new process initiation, if having detected new process initiation, has executed S102;
S102:Before the module to the new process is loaded according to preassigned load address, according to advance The address create-rule of setting generates the new load address of the module of the new process;
S103:According to the size in the module committed memory space of the new load address and the new process that are generated, add Carry the module of the new process.
Illustratively, it is illustrated by taking a process X of a certain browser as an example below.
Assuming that process X includes three modules, respectively module a, module b and module c.Preassigned module a's adds Set address is:The load address of 00030000H, preassigned module b is:00040000H's, preassigned module c adds Set address is:00050000H;
In practical applications, preassigned load address is also usually generally referred to by those skilled in the art as module suggestion base Location suggests loading address, preferential loading address etc..
When detecting that process X starts, to the module a, module b and module c of process X according to preassigned load Before location is loaded, according to pre-set address create-rule, the new load address of the module of the new process is generated.
Assuming that pre-set address create-rule is:100H is deviated on the basis of preassigned load address, then The new load address of the module a of generation is:The new load address of 00030100H, the module b of generation is:00040100H is generated The new load address of module c be:00050100H.
According to the new load address 00040100H of the new load address 00030100H of newly-generated module a, module b, mould The new load address 00050100H and module a of block c, module b, module c difference committed memories space size, to module a, Module b and module c are loaded.
In practical applications, the module of the new process is primary module, and there are relocation tables in primary module;Or it is described new The module of process is system module;Address can be generated at random, using the address generated at random as the module of the new process New load address.The new load address of the module generated at this time will be constrained no longer by the preassigned load address of module, and And using the random method for generating address, increase the preassigned load address that hacker obtains module.
Illustratively, it is assumed that according to the random method for generating address, the new load address of generation module a is: The new load address of 003514D0H, generation module b is:The new load address of 0054250CH, generation module c is: 0064578FH。
According to the new load address 0054250CH, module c of the new load address 003514D0H of the module a of generation, module b New load address 0064578FH and module a, module b, module c difference committed memory space size, to module a, module B and module c are loaded.
In practical applications, the module of the new process is primary module, and relocation table is not present in primary module;It can incite somebody to action Preassigned load address is determined as the new load address of the module of the new process.
In practical applications, the new load address of Process part module can be generated, such as only generates the new of specified module Load address;The new load address of all modules of process can also be generated, wherein including primary module and system module.Generate into In the case of the new load address of Cheng Suoyou modules so that hacker also can not construct ROP using primary module and/or system module It is attacked.
In practical applications, in the case where the module of new process is system module, can also be added according to preassigned The size in the module committed memory space of set address and the new process, fills pre-prepd jump instruction, specifically, to rising The memory headroom that beginning address is the preassigned load address of module, space size is module committed memory space size carries out Shen Please;Addition JMP instructions at all overall situation functions (function for not supporting reorientation), execute JMP and refer in the modules of process Enable so that all overall situation functions in modules jump to load the module memory headroom in continue to execute, ensure into The normal operation of journey.
It should be noted that above-mentioned illustrate by taking the process X of a certain browser as an example, only of the invention one is specific real Example, does not constitute limitation of the invention.
Using embodiment illustrated in fig. 1 of the present invention, add according to preassigned load address in the module to new process Before load, just generate the new load address of the module of new process, by the module of new process according to generation new load address into Row load.Even if hacker obtains the new load address of module, it is also difficult to obtain preassigning for module by new load address Load address, and then cannot by preassigned load address find suitable for attack instruction segment attacked, The protection that computer attacks ROP is improved, the safety of computer is improved.
Fig. 2 is second of flow diagram of module loading method provided in an embodiment of the present invention, real shown in Fig. 2 of the present invention On the basis of applying example embodiment shown in Fig. 1, increase S104:Judge whether the new process is to need process to be protected.
Specifically, judging whether the new process is to need process to be protected, it can be determined that pre-stored process configuration Whether with the new process corresponding information has been recorded in information table;If so, then the new process is determined as needing to protect Process.
Illustratively, it is illustrated by taking a process X of a certain browser as an example below.
Before process X calling system functions MiMapViewOfImageSection mapping mirror memories, Hook skills are utilized Art adds the program segment for handling message in the module of process X, is called by system, which is linked into system.Often When specific message is sent out, before no arrival purpose window, which just first captures the message, that is, the program segment first obtains To control.At this moment the program segment can be to the message working process.
Assuming that pre-stored process configuration information table stores 5 relevant information of process (such as process title, process ID number etc.), 5 processes are respectively process M, process N, process A, process X, process F;The message captured using Hook technologies For the title X of new process;Judge to whether there is information corresponding with process X, judging result in pre-stored configuration information table It is yes, then is determined as process X needing process to be protected.
It should be noted that above-mentioned illustrate by taking the process X of a certain browser as an example, only of the invention one is specific real Example, does not constitute limitation of the invention.
Using embodiment illustrated in fig. 2 of the present invention, randomization only is carried out to the address for needing the module of process to be protected, Avoid the appearance of compatibility issue caused by the module randomization possibility to all processes.
Fig. 3 is the third flow diagram of module loading method provided in an embodiment of the present invention, real shown in Fig. 3 of the present invention It applies and increases S105 on the basis of example embodiment shown in Fig. 1:The data that module binding imports in table are removed, with tying up for disabled module Determine input mechanism, makes module loading to the new load address.
Using embodiment illustrated in fig. 3 of the present invention, the data in module binding importing table are removed, are avoided module loading The appearance of the problem of to preassigned load address.
Fig. 4 is the 4th kind of flow diagram of module loading method provided in an embodiment of the present invention, real shown in Fig. 4 of the present invention It applies and increases following four step on the basis of example embodiment shown in Fig. 1;
S106:Record the preassigned load address of all modules of the new process;
S107:Capture the exception that the new process occurs;
S108:Judge to whether there is the captured corresponding address of exception in recorded load address;If so, holding Row S109;
S109:Flooding is prompted the user with.
Illustratively, it is illustrated by taking a process X of a certain browser as an example below.
Assuming that process X includes three modules, respectively module a, module b and module c.Preassigned module a's adds Set address is:The load address of 00030000H, preassigned module b is:00040000H's, preassigned module c adds Set address is:00050000H;
Specifically, Hook technologies can be utilized to add the preassigned load address for logging modle in process X And the program segment of the function of capture process exception;All modules in current process are traversed, and preassigned to modules Load address is recorded;After the module of process X is loaded according to the new load address of generation, start the exception occurred to process It is captured;
Assuming that the corresponding address of the exception captured is 0005425FH, judge to whether there is in the load address of record 0005425FH, judging result are no, then have not prompted the user with flooding;
Assuming that the corresponding address of the exception captured is 00040000H, judge to whether there is in the load address of record 00040000H, judging result are yes, then have prompted the user with flooding.
It should be noted that above-mentioned illustrate by taking the process X of a certain browser as an example, only of the invention one is specific real Example, does not constitute limitation of the invention.
Using embodiment illustrated in fig. 4 of the present invention, user can be made to have known whether that hacker attacks system, Jin Eryong Family can make system further protection.
Corresponding with above-mentioned embodiment of the method, the embodiment of the present invention also provides a kind of module loading device
Fig. 5 is the first structural schematic diagram of module loading device provided in an embodiment of the present invention, may include:Detection is single Member 201, scalar/vector 202 and loading unit 203, wherein
Detection unit 201, for detecting whether there is new process initiation;
Scalar/vector 202, in the case where detection unit 201 has detected new process initiation, to described It is raw according to pre-set address create-rule before the module of new process is loaded according to preassigned load address At the new load address of the module of the new process;
In practical applications, the module of the new process can be primary module, and there are relocation tables in primary module;It is described The module of new process can also be system module;Scalar/vector 202 shown in the embodiment of the present invention, specifically can be used for:
In the case where detection unit 201 has detected new process initiation, to the module of the new process according to advance Before specified load address is loaded, address is generated at random, using the address generated at random as the module of the new process New load address.
In practical applications, the module of the new process can be primary module, and relocation table is not present in primary module;This Scalar/vector 202 shown in inventive embodiments, specifically can be used for:
In the case where detection unit 201 has detected new process initiation, to the module of the new process according to advance Before specified load address is loaded, by preassigned load address, it is determined as the new of the module of the new process and adds Set address.
Loading unit 203, the mould of new load address and the new process for being generated according to scalar/vector 202 The size in block committed memory space loads the module of the new process.
In the case where the module of the new process is system module, can also include:Jump instruction fills unit is (in figure It is not shown),
Jump instruction fills unit, for the module committed memory according to preassigned load address and the new process The size in space fills pre-prepd jump instruction.
Using embodiment illustrated in fig. 5 of the present invention, add according to preassigned load address in the module to new process Before load, just generate the new load address of the module of new process, by the module of new process according to generation new load address into Row load.Even if hacker obtains the new load address of module, it is also difficult to obtain preassigning for module by new load address Load address, and then cannot by preassigned load address find suitable for attack instruction segment attacked, The protection that computer attacks ROP is improved, the safety of computer is improved.
Fig. 6 is second of structural schematic diagram of module loading device provided in an embodiment of the present invention, real shown in Fig. 6 of the present invention It applies and increases on the basis of example embodiment shown in Fig. 5:First judging unit 204, wherein
First judging unit 204, for judging whether the new process is to need process to be protected;
The first judging unit 204, specifically can be used for shown in the embodiment of the present invention:
Judge whether to have recorded information corresponding with the new process in pre-stored process configuration information table;If Have, is then determined as the new process needing process to be protected.
Scalar/vector 202 shown in the embodiment of the present invention, specifically can be used for:
Detect that new process initiation and 204 judging result of the first judging unit are yes in the detection unit 201 In the case of, before the module to the new process is loaded according to preassigned load address, according to pre-setting Address create-rule, generate the new load address of the module of the new process.
Using embodiment illustrated in fig. 6 of the present invention, randomization only is carried out to the address for needing the module of process to be protected, Avoid the appearance of compatibility issue caused by the module randomization possibility to all processes.
Fig. 7 is the third structural schematic diagram of module loading device provided in an embodiment of the present invention, real shown in Fig. 7 of the present invention It applies and increases on the basis of example embodiment shown in Fig. 5:Data dump unit 205, wherein
Data dump unit 205 inputs machine for removing the data in module binding importing table with the binding of disabled module System, makes module loading to the new load address.
Using embodiment illustrated in fig. 7 of the present invention, the data in module binding importing table are removed, are avoided module loading The appearance of the problem of to preassigned load address.
Fig. 8 is the 4th kind of structural schematic diagram of module loading device provided in an embodiment of the present invention, real shown in Fig. 8 of the present invention It applies and increases on the basis of example embodiment shown in Fig. 5:Recording unit 206, exception catching unit 207,208 and of second judgment unit Prompt unit 209, wherein
Recording unit 206, the preassigned load address of all modules for recording the new process;
Exception catching unit 207, the exception occurred for capturing the new process;
Second judgment unit 208, for judge recording unit 206 record load address in whether there is exception catching list The corresponding address of exception that member 207 captures;
Prompt unit 209, in the case where 208 judging result of second judgment unit is to be, having prompted the user with excessive Go out attack.
In practical applications, the recording unit 206 of the embodiment of the present invention, exception catching unit 207, second judgment unit 208 and prompt unit 209 can also increase on the basis of embodiment and embodiment illustrated in fig. 7 shown in Fig. 6.
Using embodiment illustrated in fig. 8 of the present invention, user can be made to have known whether that hacker attacks system, Jin Eryong Family can make system further protection.
In addition, the embodiment of the present invention additionally provides a kind of electronic equipment, may include:
Processor, memory, communication interface and bus;
The processor, the memory are connected by the bus with the communication interface and complete mutual lead to Letter;
The memory stores executable program code;
The processor can perform to run with described by reading the executable program code stored in the memory The corresponding program of program code, for executing the module loading method that the embodiment of the present application is provided;Wherein, the application is implemented The module loading method that is there is provided of example may include:
New process initiation is detected whether;
If having detected new process initiation, carried out according to preassigned load address in the module to the new process Before load, according to pre-set address create-rule, the new load address of the module of the new process is generated;
According to the size in the module committed memory space of the new load address and the new process that are generated, described in load The module of new process.
Wherein, the new load ground of the module of the new process is generated according to pre-set address create-rule described Before location, can also include:
Judge whether the new process is to need process to be protected;
It is described that the new load address of the module of the new process is generated according to pre-set address create-rule, it can be with Including:
In the case where the new process is to need process to be protected, according to pre-set address create-rule, generate The new load address of the module of the new process.
Wherein, described to judge whether the new process is to need process to be protected, may include:
Judge whether to have recorded information corresponding with the new process in pre-stored process configuration information table;If Have, is then determined as the new process needing process to be protected.
Wherein, described according to the big of the module committed memory space of the new load address generated and the new process It is small, before the module for loading the new process, can also include:
Remove the data that module binding imports in table makes module loading described in the binding input mechanism of disabled module New load address.
Wherein, the module of the new process is primary module, and there are relocation tables in primary module;Or the mould of the new process Block is system module;
It is described that the new load address of the module of the new process is generated according to pre-set address create-rule, it can be with Including:
It is random to generate address, using the address generated at random as the new load address of the module of the new process.
Wherein, the module of the new process is primary module, and relocation table is not present in primary module;
It is described that the new load address of the module of the new process is generated according to pre-set address create-rule, it can be with Including:
By preassigned load address, it is determined as the new load address of the module of the new process.
Wherein, the module of the new process is system module:The method can also include:
According to the size of preassigned load address and the module committed memory space of the new process, fill accurate in advance Standby jump instruction.
Wherein, can also include:
Record the preassigned load address of all modules of the new process;
Capture the exception that the new process occurs;
Judge to whether there is the captured corresponding address of exception in recorded load address;
If it is present having prompted the user with flooding.
It should be noted that herein, relational terms such as first and second and the like are used merely to a reality Body or operation are distinguished with another entity or operation, are deposited without necessarily requiring or implying between these entities or operation In any actual relationship or order or sequence.Moreover, the terms "include", "comprise" or its any other variant are intended to Non-exclusive inclusion, so that the process, method, article or equipment including a series of elements is not only wanted including those Element, but also include other elements that are not explicitly listed, or further include for this process, method, article or equipment Intrinsic element.In the absence of more restrictions, the element limited by sentence "including a ...", it is not excluded that There is also other identical elements in process, method, article or equipment including the element.
Each embodiment in this specification is all made of relevant mode and describes, identical similar portion between each embodiment Point just to refer each other, and each embodiment focuses on the differences from other embodiments.Especially for device reality For applying example, since it is substantially similar to the method embodiment, so description is fairly simple, related place is referring to embodiment of the method Part explanation.
One of ordinary skill in the art will appreciate that all or part of step in realization above method embodiment is can It is completed with instructing relevant hardware by program, the program can be stored in computer read/write memory medium, The storage medium designated herein obtained, such as:ROM/RAM, magnetic disc, CD etc..
The foregoing is merely illustrative of the preferred embodiments of the present invention, is not intended to limit the scope of the present invention.It is all Any modification, equivalent replacement, improvement and so within the spirit and principles in the present invention, are all contained in protection scope of the present invention It is interior.

Claims (15)

1. a kind of module loading method, which is characterized in that including:
New process initiation is detected whether;
If having detected new process initiation, loaded according to preassigned load address in the module to the new process Before, according to pre-set address create-rule, the new load address of the module of the new process is generated;
The data that module binding imports in table are removed, with the binding input mechanism of disabled module, module loading are made newly to add to described Set address;
According to the size in the module committed memory space of the new load address and the new process that are generated, load it is described newly into The module of journey.
2. according to the method described in claim 1, it is characterized in that, described according to pre-set address create-rule, life Before new load address at the module of the new process, further include:
Judge whether the new process is to need process to be protected;
It is described that the new load address of the module of the new process is generated according to pre-set address create-rule, including:
In the case where the new process is to need process to be protected, according to pre-set address create-rule, described in generation The new load address of the module of new process.
3. according to the method described in claim 2, it is characterized in that, it is described judge the new process whether be need it is to be protected into Journey, including:
Judge whether to have recorded information corresponding with the new process in pre-stored process configuration information table;If so, then The new process is determined as to need process to be protected.
4. according to the method described in claim 1, it is characterized in that, the module of the new process is primary module, and in primary module There are relocation tables;Or the module of the new process is system module;
It is described that the new load address of the module of the new process is generated according to pre-set address create-rule, including:
It is random to generate address, using the address generated at random as the new load address of the module of the new process.
5. according to the method described in claim 1, it is characterized in that, the module of the new process is primary module, and in primary module There is no relocation tables;
It is described that the new load address of the module of the new process is generated according to pre-set address create-rule, including:
By preassigned load address, it is determined as the new load address of the module of the new process.
6. according to the method described in claim 4, it is characterized in that, the module of the new process is system module:The method Further include:
According to the size of preassigned load address and the module committed memory space of the new process, filling is pre-prepd Jump instruction.
7. the method according to claim 1, which is characterized in that further include:
Record the preassigned load address of all modules of the new process;
Capture the exception that the new process occurs;
Judge to whether there is the captured corresponding address of exception in recorded load address;
If it is present having prompted the user with flooding.
8. a kind of module loading device, which is characterized in that including:Detection unit, scalar/vector, data dump unit and add Carrier unit, wherein
The detection unit, for detecting whether there is new process initiation;
Described address generation unit, in the case where the detection unit has detected new process initiation, to described new Before the module of process is loaded according to preassigned load address, according to pre-set address create-rule, generate The new load address of the module of the new process;
The data dump unit, for removing the data in module binding importing table, with the binding input mechanism of disabled module, Make module loading to the new load address;
The loading unit, the module of new load address and the new process for being generated according to described address generation unit The size in committed memory space loads the module of the new process.
9. device according to claim 8, which is characterized in that further include:First judging unit,
First judging unit, for judging whether the new process is to need process to be protected;
Described address generation unit, is specifically used for:
In the case where the detection unit has detected that new process initiation and the first judging unit judging result are to be, Before the module to the new process is loaded according to preassigned load address, generated according to pre-set address Rule generates the new load address of the module of the new process.
10. device according to claim 8, which is characterized in that first judging unit is specifically used for:
Judge whether to have recorded information corresponding with the new process in pre-stored process configuration information table;If so, then The new process is determined as to need process to be protected.
11. device according to claim 8, which is characterized in that the module of the new process is primary module, and in primary module There are relocation tables;Or the module of the new process is system module;
Described address generation unit, is specifically used for:
It is random to generate address, using the address generated at random as the new load address of the module of the new process.
12. device according to claim 8, which is characterized in that the module of the new process is primary module, and in primary module There is no relocation tables;
Described address generation unit, is specifically used for:
By preassigned load address, it is determined as the new load address of the module of the new process.
13. according to the devices described in claim 11, which is characterized in that the module of the new process is system module:
Further include:Jump instruction fills unit,
The jump instruction fills unit, for the module committed memory according to preassigned load address and the new process The size in space fills pre-prepd jump instruction.
14. device according to claim 8, which is characterized in that further include:Recording unit, exception catching unit, second are sentenced Disconnected unit and prompt unit, wherein
The recording unit, the preassigned load address of all modules for recording the new process;
The exception catching unit, the exception occurred for capturing the new process;
The second judgment unit whether there is the exception catching in the load address for judging the recording unit records The corresponding address of exception that elements capture arrives;
The prompt unit, in the case where the second judgment unit judging result is to be, having prompted the user with spilling Attack.
15. a kind of electronic equipment, which is characterized in that including:Processor, memory, communication interface and bus;
The processor, the memory are connected by the bus with the communication interface and complete mutual communication;
The memory stores executable program code;
The processor is run and the executable program by reading the executable program code stored in the memory The corresponding program of code requires the module loading method described in 1 to 7 any one for perform claim.
CN201510544043.0A 2015-08-28 2015-08-28 Module loading method and device and electronic equipment Active CN105205400B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510544043.0A CN105205400B (en) 2015-08-28 2015-08-28 Module loading method and device and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510544043.0A CN105205400B (en) 2015-08-28 2015-08-28 Module loading method and device and electronic equipment

Publications (2)

Publication Number Publication Date
CN105205400A CN105205400A (en) 2015-12-30
CN105205400B true CN105205400B (en) 2018-10-16

Family

ID=54953074

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510544043.0A Active CN105205400B (en) 2015-08-28 2015-08-28 Module loading method and device and electronic equipment

Country Status (1)

Country Link
CN (1) CN105205400B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101315655A (en) * 2008-07-01 2008-12-03 华为技术有限公司 Method and apparatus for preventing overflow attack of buffer area
CN102831339A (en) * 2012-07-19 2012-12-19 北京奇虎科技有限公司 Method, device and browser for protecting webpage against malicious attack

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9218490B2 (en) * 2011-12-30 2015-12-22 Intel Corporation Using a trusted platform module for boot policy and secure firmware

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101315655A (en) * 2008-07-01 2008-12-03 华为技术有限公司 Method and apparatus for preventing overflow attack of buffer area
CN102831339A (en) * 2012-07-19 2012-12-19 北京奇虎科技有限公司 Method, device and browser for protecting webpage against malicious attack

Also Published As

Publication number Publication date
CN105205400A (en) 2015-12-30

Similar Documents

Publication Publication Date Title
CN105589657A (en) Method and device for realizing mounting of mobile storage
CN104166621B (en) A kind of data processing method and device
CN103500116A (en) Method and system for clearing data generated by application program
CN107423369A (en) A kind of method and device for handling file to be deleted
CN104361285A (en) Method and device for detecting security of application programs of mobile devices
CN108170438A (en) A kind of application program automatic installation method, terminal and computer-readable medium
CN105991415A (en) Message pushing method and mobile terminal
CN104750575A (en) Restoring method and device for mobile terminal operating system
US20090271449A1 (en) Work support apparatus for information processing device
CN110413577A (en) Data-erasure method, device, electronic equipment and computer readable storage medium
CN106503065A (en) The method and system of data transfer
CN102222189A (en) Method for protecting operating system
CN105205400B (en) Module loading method and device and electronic equipment
CN105229658A (en) The safety feature of data handling system and safety method
CN104765631B (en) A kind of application recovery method and device of mobile terminal
CN107203417B (en) Data cleaning method, related device and electronic equipment
CN106484449A (en) A kind of application management method and device
CN105740098A (en) Determination method and system for stale data among backup data
CN104412274B (en) Portable terminal and control method
CN104298548A (en) Information processing method and electronic device
CN111538994A (en) System security detection and repair method, device, storage medium and terminal
CN104615387B (en) Mobile unit and its design method based on XPE systems
CN106203121A (en) Method and device for preventing malicious modification of kernel address and terminal
CN106250992A (en) Task processing method in a kind of mobile electronic device and device
CN103942043B (en) A kind of method and device for managing mobile terminal desktop icon

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
TR01 Transfer of patent right
TR01 Transfer of patent right

Effective date of registration: 20181214

Address after: Room 105-53811, No. 6 Baohua Road, Hengqin New District, Zhuhai City, Guangdong Province

Patentee after: Zhuhai Leopard Technology Co.,Ltd.

Address before: 100085 East District, Second Floor, 33 Xiaoying West Road, Haidian District, Beijing

Patentee before: BEIJING KINGSOFT INTERNET SECURITY SOFTWARE Co.,Ltd.